Solved

Externally access Untangle via Fritz Box modem/router

Posted on 2014-04-10
Last Modified: 2014-05-08
I have an Untangle 10 box set up behind a Fritz.Box modem/router. I have been able to set up the dynamic DNS on Fritz.box and it is reachable externally. However, my ultimate goal is to allow me to access the Untangle box externally and to also have OpenVPN set up.

Unfortunately, I am having trouble getting access to the Untangle server.

I'll describe what I have set up on Fritz.Box and then Untangle.

Dynamic DNS:
account set up with: NOIP.COM
Host: mydynamicdns.no-ip.biz

Fritz.Box:

Internet > Permit Access > Dynamic DNS
Dynamic DNS provider: no-ip.com
Domain name: mydynamicdns.no-ip.biz
username: <my username>
password: <my password>
Internet > Permit Access > Remote Access
User name: <my username>
password: <my password>
Use HTTPS port other than the default HTTPS port 443: ticked
other HTTPS port: 450
IP Address for remote access

Accessing the Fritz.box from outside my network works using "HTTPS://MYDYNAMICDNS.NO-IP.BIZ:450"

Moving forward with access to the Untangle box.

Fritz.box (further setup):

Internet > Permit Access > Port Forwarding
Protocol: TCP
From Port: 443
to IP Address: 192.168.178.82 (fritz box IP to untangle box)
to Port: 443
Internet > Home Network > Network > Network Settings > IPv4 Routes
network: 192.168.2.1  (untangle internal network)
subnet mask: 255.255.255.0
gateway: 192.168.178.82 (fritz box IP for untangle box)

Untangle (set up):

Config > Network > Interfaces
External: eth0
Config: ADDRESSED
Current address: 192.168.178.82/24
is WAN: true
IPv4 configuration
Config type: AUTO (DHCP)
Address override: <blank> (current: 192.168.178.82)
Netmask Override: <blank> (current: /24 - 255.255.255.0)
Gateway override: <blank> (current: 192.168.178.1)
Primary DNS Override: <blank> (current: 192.168.178.1)
Secondary DNS Override: <blank>
IPv4 Options: <ticked> NAT traffic exiting this interface (and bridged peers)
Internal: eth1
Config: ADDRESSED
Current address: 192.168.2.1/24
is WAN: false
IPv4 Configuration
Address: 192.168.2.1
Netmask: /24 - 255.255.255.0
IPv4 Options: <ticked> NAT traffic coming from this interface (and bridged peers)
DHCP Configuration
Enable DHCP Serving <ticked>
Range Start: 192.168.2.100
Range End: 192.168.2.200
Config > Network > Hostname
Hostname: mydynamicdns
Domain Name: no-ip.biz
Dynamic DNS Service Configuration: <not enabled>
Config > Network > Advanced > Filter Rules > Input Filter Rules
<enabled> : Allow HTTPS on WANs
Config > Administration > Admin Accounts
Allow HTTP Administration: <ticked>
Config > Administration > Public Address
Use Manually Specified Address
IP/Hostname: mydynamicdns.no-ip.biz
Port: 443

Sorry about the length of this request, but I felt that as much as possible of what I have set up needed to be presented. I haven't included information about the OpenVPN, as I believe this needs to be dealt with after the above is addressed.

I look forward to any assistance that can be given to allow me to get this sorted.

Thanks
Question by:sunspots2002
7 Comments

Expert Comment

by:gheist
ID: 39995528
Double NAT is no good

Author Comment

by:sunspots2002
ID: 39995604
OK, double NAT is no good. What should I do? Switch off the NAT on the Fritz box or Untangle?

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 39995782
Since nobody outside Germany has seen a Fritz!Box, I'd suggest reducing it to a simple cable extension so that people who have an idea about Untangle can help (or asking in German-language forums if you think it has some valuable functionality).

Author Comment

by:sunspots2002
ID: 40002031
Hi gheist,
I would struggle with my non-existent German. :(

I've changed Untangle to be bridged and allowed Fritz.box (FB) to be the DHCP issuer. I also set up port forwarding from FB to Untangle on port 4433. There was some conflict using 443. On Untangle I set Configuration > Network > Services > Local Services > HTTPS port to 4433.

On the Public Address I left port as 443.
Config > Administration > Public Address

    Use Manually Specified Address

    IP/Hostname: mydynamicdns.no-ip.biz

    Port: 443

I also had FB set up with the Dynamic DNS.

In Untangle, under Configuration > Network > Advanced > Filter Rules > Input Filter Rules, I set up a rule with Destination Port 4433, protocol TCP and source interface ANY, with action PASS.

From a remote connection I found that I was able to reach the untangle box using the dynamic DNS hostname with port 4433.

I later changed the public address to use port 4433 but didn't see any change when I connected remotely.

Any advice on what has changed and whether I should change anything else?

Thanks for taking the time to read and respond to my query.

Accepted Solution

by:Qlemo
Qlemo earned 300 total points
ID: 40006408
I'm confused somehow, and think you are too.
You want to use OpenVPN, but enable HTTPS. Though both use SSL/TLS, they are not the same! If you enable HTTPS in a firewall's admin settings, it is usually for admin tasks - that is, the Web GUI (if available).
I have no clue why you think you should use the public DNS name on Untangle - only the WAN side of the Fritz!Box may have that address and name! Keep the Untangle completely with local IPs and names (as you can't switch off NAT on the Fritz!Box, AFAIK).

Double NAT wouldn't be a problem here, as the Untangle FW should manage the OpenVPN connection and hence the "internal" NAT transparently. You would have one NAT for the (encrypted) tunnel connection, and in that connection another NAT for the "real" connection to the LAN. However, I wouldn't change that now as you already have switched to bridging successfully, and that should be better.

What do you mean with "I later changed the public address to use port 4433"?

Anyway, if you could reach the Untangle FW via public IP and port 4433, the Fritz!Box is forwarding traffic correctly.

Summarizing, you have two tasks to manage:
1) Making sure the port forwarding works from Internet
2) Making sure OpenVPN works on Untangle on the port as set up

First OpenVPN tests should always include running it with local IPs, so you can check that the config files, certs and so on are correct and working. Only after that should you try to reach OpenVPN from outside your LAN.

On another note, if you change the Fritz!Box firmware, you might be able to run OpenVPN on it. But I don't have any knowledge (anymore) about the how-to, and never tried myself.

Author Comment

by:sunspots2002
ID: 40012063
Hi Qlemo
Thank you for the feedback.

I've been reminded that I hadn't attended to my question and your reply. With it being Easter, time has slipped by. Allow me some time to re-read your response and reply properly to your queries.

Regards

Author Comment

by:sunspots2002
ID: 40012582
Hi Qlemo,
> I'm confused somehow, and think you are too.
> You want to use OpenVPN, but enable HTTPS. Though both use SSL/TLS, they are not the same! If you enable HTTPS in a firewall's admin settings, it is usually for admin tasks - that is, the Web GUI (if available).
I guess I am. Correct, I was thinking of using OpenVPN along with HTTPS for the firewall admin. Also, using OpenVPN to tunnel all requests.

> I have no clue why you think you should use the public DNS name on Untangle - only the WAN side of the Fritz!Box may have that address and name! Keep the Untangle completely with local IPs and names (as you can't switch off NAT on the Fritz!Box, AFAIK).

Looking at the different hostnames on Untangle and trying to get the Dynamic DNS working, it does get confusing. With the confusion and the connection not working, you try to set all the names the same in the hope it will resolve the issue, or at least eliminate it as an issue. I have found a switch to disable the NAT on the Fritz!Box.

> Double NAT wouldn't be a problem here, ...
Yes, as you mentioned the bridge mode is working now and looks fine.

> What do you mean with "I later changed the public address to use port 4433"?
I changed the port to 4433 as Fritz!Box wouldn't allow me to forward port 443 to Untangle. Fritz!Box uses port 443 for its remote admin. Once I activated the Fritz!Box remote admin, I was able to change the default port of 443 to 450. But, at the time I didn't realise and set the port to be 4433 for the public address.

I was able to use OpenVPN successfully. Thank you for the advice about testing OpenVPN on the LAN first. In regard to Fritz!Box, I prefer not to change the firmware to allow OpenVPN.

As I now have the admin to Untangle working and OpenVPN working as well, I'll try changing the Untangle names listed.

Regards
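An added example, not part of the thread and not Untangle's or AVM's code, that encodes the three problems the thread works through: gheist's double-NAT objection, the Fritz!Box refusing to forward the port it keeps for its own remote admin, and a Public Address port that no port forward actually reaches. The port numbers and the 192.168.178.82 address are taken from the posts above; the `Setup`/`Forward` field names and the `audit` function are the editor's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Forward:
    proto: str       # "TCP" or "UDP"
    from_port: int   # port opened on the Fritz!Box WAN side
    to_ip: str       # LAN host the router forwards to
    to_port: int

@dataclass
class Setup:
    router_admin_port: Optional[int]  # Fritz!Box Remote Access HTTPS port (None = off)
    router_nat: bool                  # Fritz!Box NATs LAN -> Internet
    forwards: List[Forward]
    fw_wan_ip: str                    # Untangle address on the Fritz!Box LAN
    fw_wan_nat: bool                  # "NAT traffic exiting this interface" on eth0
    fw_https_port: int                # Local Services > HTTPS port
    fw_public_port: int               # Administration > Public Address > Port

def audit(s: Setup) -> List[str]:
    """Return findings in a fixed order (empty list = nothing flagged)."""
    findings = []
    if s.router_nat and s.fw_wan_nat:
        findings.append("double-nat")  # gheist's objection: two NAT hops in a row
    reachable = set()  # WAN ports that really land on the Untangle admin GUI
    for f in s.forwards:
        if f.proto != "TCP":
            continue
        if f.from_port == s.router_admin_port:
            findings.append(f"port-conflict:{f.from_port}")  # router keeps that port
        elif f.to_ip == s.fw_wan_ip and f.to_port == s.fw_https_port:
            reachable.add(f.from_port)
    if s.fw_public_port not in reachable:
        findings.append(f"public-port-mismatch:{s.fw_public_port}")
    if reachable:
        findings.append("admin-gui-exposed-to-wan")  # Qlemo: admin GUI vs. the VPN
    return findings

# Constructed from the thread: the first post, router admin still on the default 443
INITIAL = Setup(443, True, [Forward("TCP", 443, "192.168.178.82", 443)],
                "192.168.178.82", True, 443, 443)
# Bridged Untangle, forward 4433 -> 4433, but Public Address port left at 443
BRIDGED = Setup(450, True, [Forward("TCP", 4433, "192.168.178.82", 4433)],
                "192.168.178.82", False, 4433, 443)
# Final state described by the author: Public Address port changed to 4433 as well
FINAL = Setup(450, True, [Forward("TCP", 4433, "192.168.178.82", 4433)],
              "192.168.178.82", False, 4433, 4433)
```

The remaining finding in the final state is the one Qlemo hints at: reaching the admin GUI through the OpenVPN tunnel instead of a WAN-side forward would let the forward go away.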